Eight make the list, with one having actually been exploited in the wild, though it is unclear whether this was used maliciously or was just someone rooting their own device. None of the vulnerabilities are newly disclosed.

According to Ars Technica, the two critical fixes address vulnerabilities found in the libstagefright Android media library. These allowed harmful code to be executed on users' devices, and Google has been working with device manufacturers and carriers over the past several months to get on top of the issue.

These updates come just as Zimperium Mobile Security has released proof-of-concept code showing how the Stagefright vulnerabilities could be exploited.

Mitigation Techniques Used To Prevent Exploitation:

Remote exploitation for many issues on Android versions 4.1 (Jelly Bean) and higher is mitigated by enhancements in the Address Space Layout Randomization (ASLR) algorithm used in those versions. Android 5.0 improved ASLR by requiring PIE (position-independent executable) for all dynamically linked executables, further strengthening the ASLR protection. We encourage all users to update to the latest version of Android where possible.
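The PIE requirement above can be audited from the ELF headers alone. The following is an added example, not code from Google or the original article: it classifies a binary as PIE or fixed-address by reading `e_type` and looking for a `PT_INTERP` program header. The function names `classify_elf` and `make_sample` are hypothetical, and the sample images are constructed inline.

```python
import struct

ET_EXEC, ET_DYN = 2, 3   # e_type values from the ELF specification
PT_LOAD, PT_INTERP = 1, 3  # PT_INTERP names the dynamic linker

def classify_elf(data: bytes) -> str:
    """Return 'pie', 'non-pie-dynamic', 'static', 'shared-object', 'other' or 'not-elf'."""
    if len(data) < 16 or data[:4] != b"\x7fELF" or data[4] not in (1, 2):
        return "not-elf"
    is64 = data[4] == 2                     # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little-endian
    fmt = end + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH")
    if len(data) < 16 + struct.calcsize(fmt):
        return "not-elf"
    f = struct.unpack_from(fmt, data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = f[0], f[4], f[8], f[9]
    has_interp = False
    for i in range(e_phnum):                # p_type is the first word of each entry
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            break                           # truncated program header table
        has_interp |= struct.unpack_from(end + "I", data, off)[0] == PT_INTERP
    if e_type == ET_DYN:
        # ET_DYN without an interpreter is a shared library (or a static-PIE)
        return "pie" if has_interp else "shared-object"
    if e_type == ET_EXEC:
        # ET_EXEC + PT_INTERP is the fixed-address, dynamically linked case
        return "non-pie-dynamic" if has_interp else "static"
    return "other"                          # relocatable objects, core files

def make_sample(e_type: int, with_interp: bool, is64: bool = True) -> bytes:
    """Constructed minimal ELF image: header plus one program header."""
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 1, 1]) + bytes(9)
    fmt = "<HHIQQQIHHHHHH" if is64 else "<HHIIIIIHHHHHH"
    ehsize, phentsize = 16 + struct.calcsize(fmt), 56 if is64 else 32
    machine = 0xB7 if is64 else 0x28        # EM_AARCH64 / EM_ARM
    hdr = struct.pack(fmt, e_type, machine, 1, 0, ehsize, 0, 0,
                      ehsize, phentsize, 1, 0, 0, 0)
    phdr = struct.pack("<I", PT_INTERP if with_interp else PT_LOAD)
    return ident + hdr + phdr + bytes(phentsize - 4)

if __name__ == "__main__":
    for name, img in [("constructed PIE", make_sample(ET_DYN, True)),
                      ("constructed non-PIE", make_sample(ET_EXEC, True))]:
        print(f"{name}: {classify_elf(img)}")
```

A result of `non-pie-dynamic` marks a binary that loads at a fixed address and so gets no benefit from randomization of the main executable.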

The Android Security team is actively monitoring for abuse of issues with Verify Apps and SafetyNet which will warn about potentially harmful applications about to be installed. Device “rooting” tools are prohibited within Google Play. To protect users who install applications from outside of Google Play, Verify Apps is enabled by default and will warn users about known Rooting applications. Verify Apps will block installation of known “malicious” applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will attempt to automatically remove any such applications and notify the user.

As appropriate, Google has updated the Hangouts and Messenger applications so that media is not automatically passed to vulnerable processes (such as Mediaserver).

my mate's aunt makes $98 consistently on the PC.........After earning an average of 19952 Dollars monthly,I'm finally getting 98 Dollars an hour,just working 4-5 hours daily online....It's time to take some action and you can join it too.It is simple,dedicated and easy way to get rich.Three weeks from now you will wishyou have started today - I promise!!....HERE I STARTED-TAKE A LOOK AT......imt......

Do you want an OS that people mock for the lack of security, or do you want a secure device that will need to be [annoyingly] updated every so often to enjoy root access?

Theo

I want root! I don't care about anyone who is mocking Android. In my opinion the security has been OK these last years. I just want to do whatever I want to the OS so I can work it like I want.

Régis Knechtel

Well, Google had to choose between pleasing you and a few other tech nerds like myself or most of the users and companies who want/need a secure OS.

Theo

Yes, I know. The thing is that there are no other alternative OSes for us power users who like to play with their phones. I would like to believe that in the future they will continue to provide us bootloader-unlocked devices like Nexus so we can do what we want to do...

azul

I don't know if it's currently possible but I'm sure that eventually Ubuntu touch will be the destination.

Dianne Hackborn

If you want root, get a device that supports "fastboot oem unlock" -- like all the Nexus devices do.

brkshr

"Device “rooting” tools are prohibited within Google Play."

"Verify Apps is enabled by default and will warn users about known Rooting applications."

All they're doing here is making it a little harder to obtain a rooting app and warning you if you side load a rooting app. They aren't closing rooting methods yet.

Android 6.0 may be a different story though, because you have to install a custom kernel to obtain root on the dev previews.

gotluck

If I'm not mistaken, that was required for initial rooting on Lollipop too, then Chainfire found some other solution - we shall see!

brkshr

I believe you are right

pfmiller

That's always been the case because, like it or not, getting root access inappropriately is a huge security problem.

blackice85

It's kind of inherent yeah, and it's better for most people to not have immediate access. Unless Google starts going out of their way to prevent people from rooting or accessing the bootloader, then I don't have any problems with their approach here.

jak_341

Great! So how and when are these going to get pushed out to all the Android phones?

"...showing *wow* the Stagefright vulnerabilities could be exploited."

Ali Mahdavi

Hurrah!!!
I love changelogs!

Bruno Martins

Got yesterday in my Moto G 2015 :)

Hugo

For realz?

Bruno Martins

Yes, the changelog said Stagefright fix..

antonio cesar

That's the first round of Stagefright fixes, not this one. The sources for this were uploaded yesterday; no way Motorola could sync with their branch and send to Google certification + receive Google certification on the same day.

A prerequisite for reading and commenting on this article is to know what CVEs are? You don't see the relation between waiting on a promised Android update, and the fact this article is talking about an Android update?

Yes, this article was about updates to the Android operating system, not updates for Inbox for Android. The only purpose of this update was to address and mitigate the discovered CVEs.

Either Inbox support doesn't know what they are talking about, or you misunderstood the scope of the problem. Less than a percent of app crashes are caused by a bug in the operating system. Your problem is not a special case.